Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file

[Frank Siebenlist <franks@xxxxxxxxxxx>]

Cowles, Robert D. wrote:
> But such "ageeemwnts" are just a way of encoding the CA in the 
> random number.  
That is the "technical" solution.

I was more referring to the policy agreement that if CA-1 issues some 
uuid to me, that CA-2 will not issue that same number to you.

> What about number portability?  If I have a 
> number from CA-1 are you saying I can't take that cert to
> CA-2 and get a certificate from them?
>   
Ough... you're implementing already ;-)

I guess that you "are" your uuid after it is issued by the initial CA, 
so other CAs should probably be able to issue certificates that bind 
that same uuid to other keys after they are assured that it has the same 
key-holder associated with it.

Being able to limit the number of CAs that can do that through some form 
of enforced policy constraints is one of the main issues of this 
discussion...

-Frank.


> > -----Original Message-----
> > From: Frank Siebenlist [mailto:franks@mcs.anl.gov] 
> >     
> ...
>   
> > This means that when you allow multiple CAs to issue random 
> > numbers as 
> > names for subjects, those CAs should have some agreement that none of 
> > their fellow CAs should issue the same random number to a different 
> > person/entity. There are some technical solutions that could help to 
> > prevent collisions, but the main issue is one of policy conformance.
> >
> > -Frank.
> >     
>   
--
Frank Siebenlist               franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory